29 Weaponized Python PyPI Packages Aimed to Infect Developers With Malware

The Python Package Index (PyPI) has been found to contain 29 potentially malicious packages. In most of these cases, you will find that the obfuscated code drops an info-stealer called “W4SP” on infected machines.

Others take advantage of malware that has allegedly been designed for the sole purpose of teaching. 

W4SP Stealer has compromised PyPI, and this malware is primarily intended for the purpose of infecting developers’ systems with malicious code created by the malware.

Import injection

Cybersecurity analysts at Phylum performed extensive research in which they concluded that the initial steps of this type of attack are simple copies of popular libraries and the introduction of malicious __import__ statements into a codebase.

EHA

It is important to point out that the attacker gained an advantage from copying and pasting an existing, legitimate package since the PyPI landing page for the package is generated from the setup.py as well as the README.md file.

Additionally, through this method, the attackers could immediately create a real-looking landing page that holds primarily working legitimate links and everything else. 

A brief glance could lead one to believe that this package is also legitimate if it is not thoroughly examined.

Malicious PyPI packages

In total, there are 29 software supply chain security packages that were recently identified by the experts at Phylum, which we have listed below:-

  • algorithmic
  • colorsama
  • colorwin
  • curlapi
  • cypress
  • duonet
  • faq
  • fatnoob
  • felpesviadinho
  • iao
  • incrivelsim
  • installpy
  • oiu
  • pydprotect
  • pyhints
  • pyptext
  • pyslyte
  • pystyle
  • pystyte
  • pyurllib
  • requests-httpx
  • shaasigma
  • strinfer
  • stringe
  • sutiltype
  • twyne
  • type-color
  • typestring
  • typesutil

Ripening Tactics

Most packages, especially the earlier ones, contain an easy-to-inject malicious import into either the setup.py or the init.py files. We can see in the image below that requests-httpx has been able to copy the requests package and add it to its own package.

Following this, the attacker changed tactics slightly and was unable to make another similar attempt to compromise the system. They took advantage of Python’s rare clause to hide the import rather than placing it in a prominent place on the screen, so as not to catch any distractions.

Moreover, in the screenshot below, it comes from the malicious package typesutil called setup.py. 

Obscured Python

There are around 71K characters in this mess, which means that there is quite a bit of mud to trudge through to get to the bottom of this mess. It is important to note that this is typical for an obfuscated Python program

During the process, it became apparent that there was something that wasn’t quite right. Since the attacker’s tactics changed again after this, so, the analysts even suspect that they also recognized this.

The supply-chain attack is executed for:-

  • There are dozens of packages available in the Python Package Index that contain malignant code and blatantly copy legitimate packages.
  • Malicious code is injected into custom error classes, such as setup.py, and __init__.py statements.
  • Once that Base64 encoded string is decoded, it contains a Python script that will be written into a temporary file, and execution will be performed on it.
  • It is possible to access any number of URLs through that temporary file.
  • A compressed byte object is executed from each URL using light obfuscated Python code.
  • The W4SP Stealer malware is contained within that byte object once it has been decompressed.

However, as per the reports that the researchers have asserted that soon they will launch more malware like this in the near future. To jutify this they claimed that this is an ongoing attack that changes tactics constantly from a determined attacker.

Secure Web Gateway – Web Filter rules, web activity tracking and malware protection – Download Free E-Book

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.